fix(sops): use NixOS system module on WSL to avoid systemd user service failure

modules/nixos/default.nix

@@ -5,6 +5,7 @@
     ./base.nix
     ./docker.nix
     ./locale.nix
+    ./secrets.nix
   ];
 
   # ── Default shell ──────────────────────────────────

modules/nixos/secrets.nix

@@ -0,0 +1,28 @@
+{ username, ... }:
+
+{
+  # ── sops (system-level) ─────────────────────────────
+  # Use NixOS module instead of home-manager module to avoid
+  # systemd user service issues on WSL.
+  # Secrets are placed in /run/secrets/<name>.
+  sops = {
+    age.sshKeyPaths = [ "/home/${username}/.ssh/id_ed25519" ];
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+
+    secrets = {
+      ai_gateway_base_url = {
+        owner = username;
+      };
+      ai_gateway_api_key = {
+        owner = username;
+      };
+      exa_api_key = {
+        owner = username;
+      };
+      context7_api_key = {
+        owner = username;
+      };
+    };
+  };
+}